Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Justin (00:15):
Welcome everybody to
episode 39 of UnHacked. And,
yes, Mario, your hair is, is just fine. Pristine, actually.
Mario (00:22):
It's perfect to the
group. Right? Minus Bryan?
Justin (00:25):
Minus Bryan. We're gonna
have to kick him out soon
enough. But, I'm I'm feeling bad because mine's I know I gotta
polish mine. I'm a little bit scruffy. Anyways, alright, guys.
Let's get started here. Quick introductions. I'm Justin
Shelley, CEO of Phoenix IT Advisors, and I am here with my
regular cohost, Bryan and Mario, and then our, you know, show up
(00:46):
whenever the hell we want, Barinder. Guys, take
Mario (00:48):
a second. Tell everybody
who
Justin (00:50):
you are, what you do,
and who you do it for, and,
well, let's go in this order. Bryan, Mario, Barinder. Bryan,
take it away.
Bryan (00:55):
Alright, everybody. My
name is Bryan Lashko with b four
Networks. We help business owners in the Niagara Region,
Ontario, Canada to solve all the frustrations and headaches that
come with dealing with technology.
Mario (01:07):
Alright. Mario Zaki, CEO
of Mastech IT, located in, North
Jersey, servicing the entire tri-state areas for anybody that has
computers.
Justin (01:20):
Nice. Beautiful,
beautiful, Barinder.
Barinder (01:23):
Yeah. Barinder Hans
with Red Rhino Networks. We're
based out of, Vancouver, BC. And, similar to these guys,
we're a managed IT services provider, and, we take care of
IT, so so our clients can focus on their business.
Justin (01:37):
Alright. Guys, we all
met, you know, we go back, what,
every three months or so, four months, every three months. You
know, we all got together in this peer group of IT
consultants, and we frequently sit around and we shoot the shit
and we're, half the time we are, you know, sipping a beer or
something. But one of the things at at this most recent
convention that was talked about and Mario, I'm actually gonna
(01:59):
punt this to you because you brought it up. Go ahead and take
this.
What was it that you guys were talking about?
Mario (02:06):
So one of the questions
that was asked to, you know,
about 300 IT companies in the room was when a business owner,
like a prospect, is looking for a new IT company, what is
typically the most important things that they choose when
selecting an IT company? And everybody in the room voted that
they feel the, you know, their respond the the response time of
(02:29):
the IT company was the most important thing. The fees, like
how much they charge, and the expertise in the industry. Those
were the top three in that order that the majority of the thought
that these when a prospect is choosing an IT company, this is
the three things that they're That's
Justin (02:50):
what they're asking us.
Right? They're coming to us
saying how fast are you responding, what do you charge,
and how good are you?
Mario (02:56):
Yeah. And and when when
they asked the same people,
well, what are when what do you think they should be asking?
What are the top three things that you should be asking? And,
overwhelmingly, the the most popular answer was the security.
You know?
Number two was the, you know, the response time. Number three,
(03:18):
if they were like, you know, how close they are to the to the to
the building. But security for for for the for when, you know,
asking the prospect or what we you know, based on conversations
we've had, it ranked number five in that list where IT people
felt like it should have been number one.
Justin (03:38):
Should be number one.
And they're coming in with,
maybe maybe that's important.
Mario (03:43):
What else what else? And
and, Mario, okay. So that's your
memory of it. Bryan, Barinder, do you
Justin (03:48):
guys have any thoughts
on what is it that our prospects
are asking when they come to us, and what should they be asking?
Barinder (03:56):
Yeah. So I was in the
room when and I'm thinking about
that question. And one half of me is thinking like a a a
technology person and thinking about cybersecurity. That's the
primary important, item we think they should be focused on
because we understand the risk to their business. But I'm also
(04:16):
of the, belief that our client's always right.
If they're focused on growing their business, they have other
priorities, which is what we have to think of when we try to
get in their minds, in their shoes. They do wanna, address
the cost. They do wanna address how fast it is because those are
important to their business. And this is the unfortunate part of
(04:37):
cybersecurity in my world. Like, a business doesn't gain anything
by investing in cybersecurity.
They just prevent themselves from losing something at best.
And that is important, but risk is a hard thing to quantify. If
you're a very big multibillion dollar business, you have risk
analysts to get you a number of what your risk is, and you can
(04:57):
make good decisions about it. But your typical hundred person,
15 person, whatever company doesn't have expensive risk
analysts working for you. It's not a line item that shows up on
your p and l.
And so those are some of the thoughts that were running
through my mind as I'm listening to this conversation.
Justin (05:14):
Okay. Bryan, what are
your thoughts?
Bryan (05:17):
So when I was in the
room, one of the things that
first popped into my head was that, a lot of IT providers
don't really have the maturity level that they should. So I
would be looking at the maturity level of of the IT provider. And
what I mean by that is it might be hard to quantify for most
people, but do they have systems? Do they have processes?
Look at how they do their marketing and how they do their
(05:38):
sales process.
Are they following something that's logically step by step,
or are they just kinda winging it and and and, going about it
like as if it was the first time they've done it? I have, you
know, coached a lot of other IT providers, and a lot of them
don't have any systems, any processes. They they don't
really know how to, you know, organize their business on a day
(05:58):
to day basis. So I would even say, hey. If I were evaluating
an IT company, show me show me your playbook.
Show me what you have as far as processes and procedures. Do you
have SOPs? Do you have any kind of standardized way to set up a
computer and set up your your you know, if there is a
cybersecurity incident, show me what you would do. Right? And
that would be what I would be looking for because even though
(06:20):
fast response is important to me as a business Improving and
incrementally improving over time.
And that only comes from somebody who is actively working
towards building systems and processes in their business.
Mario (06:42):
Yeah. But will the
average prospect or average
business owner know to ask those? You know? I mean, yes.
You could educate them when you're sitting in there and say,
you know, by the way, you should be looking at that.
But the problem is, I think, when they do look at it, I don't
know they're gonna know what what it really should be. You
(07:03):
know? Like, they don't know what they don't know. You know? Like
yeah.
You know? Obviously, you know, comparing a company that has,
like, fifteen, twenty technicians have been in has
been in business for forty years. They're gonna have
process, you know, and and, you know, some structure versus,
like, a company that's three years old that has two people
(07:23):
and something like that. But, you know, a lot of times, those
two people very rarely are in the the the same room or the
same running
Justin (07:32):
Right.
Mario (07:32):
For for a type of
company. So I I I I I agree with
you 200%, but I don't know if the average prospect will know
Justin (07:42):
that. And that, Daniel,
is exactly why they should be
listening to UnHacked. Yeah. Because we are here to teach
them, to educate them, so it to the so they know. I mean, you
know, because honestly, they don't, like listen.
If I'm choosing a doctor, for example, I have no idea. I don't
even know what I'm looking for. But I know I want the best. I
know I don't, you know, my my girl just had to go into she had
(08:03):
a torn retina. And, like, a doctor's gotta take a fucking
laser and shoot it into her eyeball.
I don't know how to pick that guy. I just hope he knows what
he's doing. I I picked this guy. Well, actually, it was a
referral, but I I know he's flying us, a citation jet
around. His office was busy.
He was full, and and I didn't see a lot of people complaining
(08:24):
that they came out blind. But, like, it it is kind of a scary
thing as a prospect when they're picking an IT provider that is
handling some of the most important assets that they can
quantify. We can't you know, some of these, I don't remember
which of you mentioned. They can't quantify risk. But we we
(08:45):
it is incumbent upon us to teach them and to educate them and
help them make these decisions.
Right? That is one of the main things that we do here.
Secondarily, maybe it's even on par. But I I say this all the
time. I am here to learn.
Right? I'm here to educate. I wanna teach my prospects, but
I'm also here to learn. And if you guys remember back to
(09:06):
episode 27, we had Joseph Brunsman on the show, and the
title was something about making your making sure the insurance
company pays out in the event of a breach. That's what's on my
mind.
And if somebody had asked, you know, if I'd been there, I I
wasn't there this time when this poll or this question was asked.
But I would have been talking about, like, our number one
concern should be keeping the the Russians out of our bank
(09:27):
accounts. Right? That's what we talk about. I've got even got my
little, Boris Grashchenko guy that I talk about.
That's who we're fighting. Well, I think I was a little bit
blinds blinded by this. Nowhere on the list that you guys have
brought up and nowhere on my mindset prior to episode 27 was
I talking about the fact that our biggest fear should be that
we don't get sued after a breach. Like, it's bad enough.
(09:48):
We get we get breached.
They take all our money, and whatever crumbs are left, the
attorneys come up behind us and suck that up. Right? It's just
like it it's crazy. I was at, I was at an event this morning,
and somebody asked me, what do you do? I'm like, well, people
call me because stuff breaks, and they want me to fix it.
Right? Response times, everything that we just talked
about. And then I said, but behind the scenes, what I really
(10:10):
do, what I'm passionate about, what I lose sleep over is making
sure that nobody breaks into your bank account and steals
your money. And that if that happens, god forbid, the
attorneys don't come up and take everything else that's left. So
Yeah.
And and this point was even made further when we are all you
know, we all jump on this and we're getting ready to record.
And, Barinder, what did you say about these lawsuits that
(10:32):
happened post breach?
Barinder (10:36):
So, yeah. Like, I
mean, are we talking about, the
the LifeLabs incident where, we're Well, when
Justin (10:44):
I said, hey. We're gonna
talk about, these breaches and
Oh, yeah. Follow-up lawsuits, and you're like, doesn't apply.
Barinder (10:49):
We're Canadian. Yeah.
Yeah. We're Canadian. We don't
we're not as litigious as as as a US, but I mean, it does happen
here.
It's not obviously, not the same level as a US, but it is
absolutely a concern, and it is rising. That's that's the other
thing.
Justin (11:03):
That's the point.
Barinder (11:03):
Is people need to
recover costs, whether it's your
insurance provider, the the individuals that are affected
and protected by the privacy legislation in Canada. There are
lawsuits. They're rising. And,
and there's actually new
legislation on the books that the government is trying to work
through. We're just further behind than the EU and the US.
Right. But we will get there. I mean, our legislation on the
(11:26):
books is old.
Justin (11:27):
In in our industry, we
are not talking about this. And
so, you know, one of the things that I I love the podcast. I
love everything I learned. But week after week, I I do kind of
think we talk about the same stuff over and over a lot of
times, because it is it's a it's just a routine. It's it's our
lives.
Right? But this is one example where we can actually get ahead
(11:47):
of something that is a trend. It's getting worse, and it's not
being talked about. And that is why I wanted to, kinda introduce
this today. Not introduced because we've talked about it.
We have an episode where there was a $400,000,000 lawsuit on
the the heels of a breach. It's not that we haven't talked about
it, but the trend is, it's getting worse. So let's go
ahead. Guys, let's let's jump into this idea of, you know, the
(12:12):
this rising risk. What do we do to get ahead of it?
How do we prepare for it? How do we make sure it doesn't happen
to us and to our clients? And, Barinder, I'm gonna punt it back
to you because you were the you you went out. You found a case
study in record time, that does happen or did happen in Canada.
And then, Bryan, I think you had one too.
So why don't you guys, talk about that? And then, Mario, you
(12:33):
better be studying fast because I'm I'm coming for you next.
Barinder, go ahead.
Barinder (12:37):
Yeah. Well, the one
that affected me personally was
LifeLabs had a breach. LifeLabs does, your blood test, your
analysis, and such, and this happened just before COVID.
Right? And they have this data breach where they lost our blood
test records.
They do all your diagnostics, and and I got an email
afterwards. Yes. You were on the list of, you know, people whose
(12:59):
data was breached. But ultimately, Canada is, unlike
the US, our fines are very small. And the fines that,
LifeLabs, I believe, had to pay was something like $1,300,000.
And that's, a paltry sum of money. And, ultimately, when
COVID hit, they got all the contracts to do all the COVID
testing, everything, so they made lots of money. But
(13:21):
$1,300,000 is nothing to these organizations. It is not a
deterrent for them to invest in cybersecurity. So as business
owners, because this one helped, impacted me as an individual,
and that organization is getting sued.
But as business owners, we need to protect ourselves with
cybersecurity insurance because we won't have the same resources
that those connections that those companies do, if we get
(13:44):
sued. And Right. That's not the that's not that's a small one,
but in Desjardins case, they had a $200,000,000 class action
lawsuit after an insider, caused a massive loss of private data.
And so, you know, there are some big numbers as well.
Justin (14:00):
Okay. Bryan, what are
your thoughts on this?
Bryan (14:04):
Well, it's it's becoming
more and more apparent that the
legal side is is pushing like, insurance and legal side are
pushing the agenda with regard to cybersecurity, like meeting
with a prospect, and talking to them about cybersecurity. They a
lot of and a lot of times,
they're not all that interested.
I mean, they want to have security and they want to be
(14:25):
secure, but it's not their primary objective. Right? That
that's the primary objective of insurance and legal, and that's
why the agenda is being pushed because if you want to have
cyber insurance, they will say
you have to have these things in
place to us saying, hey.
We need a b c because my insurance company told me I had
(14:45):
to. Not because I want it, but because I'm being told I have
to. With that said, a lot more lawsuits are happening in
Canada, and, and I know it's it's common practice in the
United States. But in Canada, they're starting to become more
and more prevalent and, the payouts while Barinder, you laugh
at 1,200,000.0 is is nothing to, you know, LifeLabs. It's a huge
(15:07):
amount to any small company.
Again, that that's that's Yes. Crippling to an organization.
Like, if if I was sued and and it cost me 1,200,000.0, that's
more than our insurance by a couple hundred thousand. Right?
Because, like, we have maybe I actually think we have
$2,000,000 liability now for cyber insurance.
But anyway, I digress. These these amounts are still they're
still large for a business. If you don't have insurance, you're
(15:28):
kind of you're kind of screwed. And so, having just the basic
protections in place is important. And one of the key
cast we had with, one of the the members that I can't remember
who it was.
But it's basically if you are told by anybody that you have to
(15:48):
have these five or six things in place and you dismiss the whole
thing out of hand, that email is the cha ching email to lawyers.
Right? They're they're looking at that going you knew and you
didn't do anything about it. But if you knew and even just
started a journey and say, okay. Let's do the first one and then
we'll work on the second one and then we'll work on a third one.
And as budgets allow, we'll we'll we'll keep working on
(16:09):
different things to implement. Now they're looking at it going,
well, they knew they had a problem, but they were working
towards resolving the issues. And that will go a long way to
reducing any kind of major payouts with any kind of legal
Justin (16:24):
yeah. Joseph Brunsman.
That's that's the episode that I
mentioned before, and that is the one who kind of Yeah. Put it
on my radar. Like I said, we've talked about it a little bit,
but that was kind of
Mario (16:32):
a you know, it it went
from just
Justin (16:34):
it it's out here
somewhere to, like, big old
fucking spotlight. Justin, you better pay attention to this
right now because, man, I I came away from that episode with a
new Exactly. Outlook on this stuff. Mario, what are your
thoughts on this?
Mario (16:47):
I I completely agree. It
it's just like, Joseph, Brunsman
said in our episode 27. It if you're showing that you're
putting in the effort, you're you're you're doing the
security, you know, like, fortunately, shit happens
sometimes. You know? But the problem is and I don't know how
it is, with our future fifty first state, you know, right
(17:10):
now.
But in the United States, we they and it's been like this for
a while. They they have the mentality, you know what? I'm
gonna sue this month, you know, sons of bitches. You know? Like,
they have the mentality.
They wanna sue right away. And, you know, sometimes, you know,
obviously, anybody can create a case. You know? Could they win?
Could they lose?
(17:31):
If they show that they, you know, they took all the proper
precautions, this is the security we had in place, we did
this, we did this, we did this, and should happen, you then you
know, the case is is not there's no negligence, you know, in
there. You know? And and that's the problem is a lot of these
companies will have, like, negligence or somebody, like, I
(17:55):
believe, Justin, you mentioned, I think, in one of the cities
in, I think, Texas, you know, there was somebody there saying,
listen. We need to do this. We need to do this.
We need to do this, and they told them f off. You know? And
then that fire where there's aYeah. Like Yeah.
Justin (18:09):
Thanks for bringing that
to our attention. Shut up. And
he didn't shut up. I'm like,alright, you're out. Fire them.
Yeah. You know, not a not a great great strategy, especially
if the attorneys are sniffing around.
Mario (18:21):
And real quick, I wanna I
wanna talk about
Justin (18:23):
the money because, Brian
and Barinder, you you guys are
absolutely right. The good old United States of America is very
sue happy. And, we don't we don't play around when we do
this. We we go for the throat. In fact, I had to do quite a bit
of research to find numbers that were even, like, meaningful to
our audience because we're we're talking in the hundreds of
(18:46):
millions.
The the lawsuit settlements, the cost of the breach, and, you
know, and this Equifax. So they're a huge company, and I
get it. And these numbers don't really but but I I wanna make
the case. After all was said and done, the court mandated
security improvements in addition to everything else.
(19:08):
Just the improvements they had to make after the fact was a
billion dollars with a b.
So it's like, guys, you can you can do security on your own. You
can put the plan of action in place. You can have your
milestones. You can cover your ass, or you can have the court
system do it for you. And, you might not find that to your
advantage.
(19:29):
Thoughts?
Barinder (19:31):
Well, so so many
businesses shut down after I
made a major data breach. They just don't they just don't
recover. Either they don't get the assets back because they
lost the data. It was encrypted, and it was broken. They just or
the hackers never released it.
So and that's without even a lawsuit. And then the lawsuits
become so crippling. I mean, so many business owners will just
say, hey. I'm done. I don't I don't want any part of this.
(19:51):
You know? Had a good run. We're out.
Mario (19:54):
Yeah. Yeah. And the
problem is when the the court
mandates it, they're gonna mandate it, like, hard. You
know?
Barinder (20:02):
Like Yes.
Mario (20:02):
A lot like,
$1,000,000,000 most likely, you
know, there's a lot of overkill there. I I don't know any of the
details, but I'm gonna assume there's a lot of overkill. So
the problem is now not only are they forcing you to put this
stuff in there, but they're forcing you to put stuff in
there that you may have never needed to put in there. You
know? And at a lower scale,
small you know, the smaller
(20:24):
businesses, it's still that's still gonna happen.
You know? If a if a CPA's office, you you know, gets
breached and, you know, say he's got 200 customers' data that was
leaked, They're not gonna mandate them to put a billion
dollar worth of security in there, but they're gonna mandate
them to do a lot, you know, and
a lot of the stuff that maybe
haven't may not have been needed on top of the credit monitoring
(20:48):
and all that stuff.
Justin (20:49):
No. That's a good point.
You you may get the option to
make decisions on your own, if you do it in the right time
frame, if you do it before you get hit. But Yeah. Yeah.
Once post breach, you you really those options are removed from
you, assuming that you survive the the attack. Right? Assuming
that the business even survives. Mhmm. You know, because all
these costs, what we also don't
talk about a lot is the
(21:11):
reputational damage.
We're gonna have a guest on here I'm pretty excited for. He's a
an attorney or he is a partner in a law firm that does high
profile divorce cases.
Mario (21:22):
And I mean, like,
professional athletes and Mhmm.
Justin (21:25):
Hollywood, you know,
that kind of stuff.
Barinder (21:27):
Yeah.
Justin (21:27):
And his there's a
competing firm in his area that
was breached. So imagine going out and trying to convince, you
know, a a movie star or the quarterback of your favorite
football team, hey. Let me handle your divorce case. Oh, I
mean, don't worry about the fact that we got breached. We fixed
it.
You know, it's like the court made us do it, but we did do it,
so we're good. You know, like this reputational damage is is
(21:51):
also something that isn't you you can't always overcome. Yeah.
Yeah.
Barinder (21:55):
Yeah. Yeah. Especially
in a situation like that where
trust is what you're selling. Alot of people Right.
Professional services, trust is king.
Justin (22:01):
And isn't that what
we're all selling, though? I
mean, really, what what's that common phrase that people do
business with? The ones that
they know, like, and trust.
Right? Yeah.
I think I got that right. But trust is the keyword. If if you
can't trust the person you're writing a check to, I mean, why
are you not writing that check?
Mario (22:17):
Yeah. And one more thing
too. It's not only the the that,
but the the trust with your clients, or your vendors, people
you're working with. You know, a lot of times you'll see you'll
just get a random email, you know, from, like, a vendor or
something, and it look they're like, oh, click on the
(22:38):
SharePoint link that we sent you. And, you know, you know
like, we know that it's it's bad.
It's a virus. They got hacked right away. We know. Like, these
guys are not legit. You know?
But what could end up happening is you can f in not only infect
yourselves, but you can infect your customers. So, you know,
(22:58):
how long does it take you to get back up and running? Alright?
And, well, how long does it take your cost your client to go back
get it back and running? You know?
Justin (23:06):
Mhmm. A lot
Mario (23:06):
of times and we see it a
lot in the construction agency,
you know, the the niche that we're in. You know, like, you
could have, like, a three man electrical company that's
working with, like, a huge contractor. And if they breach
that contractor, well, guess what? You know? Like, that's
gonna be a huge problem when you you better bet you better
(23:27):
believe that they're not gonna work with you again.
You know? So these guys need to also vet who they're working
with and and stuff like that because they don't wanna be, you
know, infected and, essentially, within their, you know,
ecosystem.
Barinder (23:42):
Yeah. And we've seen
that happen in Canada. So a lot
of, obviously, insurance ispushing down a lot of
requirements to, organizations to be to be acceptable to
receive insurance from them. But then, a lot of our clients are
coming to and say, hey. We just received this big cybersecurity
questionnaire from one of our primary vendors or customers,
and and we can't sell to them and we want their business until
(24:06):
we meet this criteria.
We just need to answer this. And and and so there's a lot of top
down enforcement, of a lot of cybersecurity improvements.
Otherwise, you just won't get the business, which is healthy,
I think, for the for the IT ecosystem.
Mario (24:24):
I agree. Yeah. But when
it
Barinder (24:27):
comes to insurance, a
lot of these lawsuits, sure, the
average individual or the the people affected will, will sue
you. But a lot of times, the one insurance company sues the
insurance company, and and if there's any sort of negligence
or a lack of responsibility by the end customer, they're all
coming to you to ultimately say, hey. Make us whole.
Justin (24:49):
Coming say that coming
to who? The IT company? Is that
what you're talking about?
Barinder (24:53):
No. No. No. I'm
talking about the customer, the
end customer. Okay.
Customer gets sued. Yeah.
Justin (24:58):
Yeah. Okay. Yeah.
Mario (25:02):
Yeah. So one So it was a
long story.
Justin (25:04):
Yeah. Well, I mean, as I
was prepping for this, I'm going
through the, case by case, and there's there's a lot of them.
Well, point, point a. The what's hard preparing this because our
audience, we are not talking to the, you know, Equifax companies
of the world. We're talking to our client base, which generally
(25:25):
speaking is smaller organizations, you know, a
couple hundred employees and lower.
These cases don't make the news. And so then two conclusions
could be drawn. One, I'm too small to get hacked. That is a
common misconception. And two, guys, if if these great big re
(25:46):
organizations with seemingly endless resources are still
getting hacked, what hope do I have?
So why does it matter? Like, we just get into this almost a
hopeless, apathetic state. And so the point I wanted to make is
that while it's not making the news, the damage is real. The
numbers are proportionate. So while, you know, I'm talking
(26:09):
about a billion dollar enforcement for Equifax, you
know, my small company is not gonna get hit with a billion
dollar you know, you've gotta do this much cybersecurity
infrastructure work, but it's gonna be proportionate in both
my number of employees, the the records lost, the data stolen,
and the size of my company.
(26:30):
But it's still gonna hurt. It's gonna be a lot worse than if if
I had chosen to do this on my own, you know, accord before
things got ugly. But, yeah, more and more, the other thing I saw
as I was going through these cases is that, you know, the
attorneys are and the courts are are mandating not just to make
(26:51):
the client whole financially and, you know, with identity
threat or identity theft protection, but they're also
coming back to the company and and forcing these technical
improvements, these cybersecurity improvements. So,
man, this is going back to episode 27 with Joseph Brunsman.
The simplicity of the solution is really what struck me.
(27:14):
Like, we're not talking about rocket science here. We're not
talking about throwing all of our money at the problem. We're
just talking about being proactive and having a plan in
place and acting on the plan. You have to show that you're
acting on it as well. But if that's in place, chances are
you're not gonna get breached in the first place.
God forbid you do. Chances are you're not gonna get hit with a
lawsuit. And if we go to the absolute worst case scenario,
(27:37):
you do get hit with a lawsuit, it's gonna be significantly less
than if you were not, proactive and working on these things. So,
that was that was kind of my my takeaway from the research and
and prepping for today's episode. So, because
Bryan (27:53):
the courts frown on
people who are neglectful,
right? If I
Justin (27:55):
mean, that's all it is.
Yeah. Yeah. Negligence. Yeah.
Mhmm.
Bryan (27:58):
If you're if you're
taking some action and you have
a plan and you're enacting that plan, it's a lot different than
if you were completely ignoring the issue altogether. Yeah. And
the courts recognize that.
Barinder (28:11):
I actually think that,
most of the the sub 500
companies, the type of companies that we work with, I actually
don't think cybersecurity taking care of the fundamentals is that
expensive. I actually think it's quite affordable, reasonable,
definitely way cheaper than going through a breach. If you
take care of the fundamentals, you reduce your risk by, let's
say, 90%. And that last 10% might cost you a lot if you
(28:34):
really have important intellectual property, important
confidential data that you need to preserve and protect. But
getting to the 90% mark is actually very affordable and
reasonable and pretty straightforward to do as long as
you have a good IT company or cybersecurity company working
with you.
And there's no reason any business shouldn't be doing it.
And if an IT partner isn't capable of doing it, I mean,
(28:55):
there's lots of those that exist, find one. But I don't
think cybersecurity is that expensive.
Justin (29:02):
No. It really isn't.
And, I but we're I mean, we're
kind of back full circle. We're we're back to the beginning now
as somebody who is not trained and is not this is not their the
life they live. Knowing, you know, vetting that IT company
does become challenging.
I will I will grant them that. I posed this question, I think,
was it? I'm not gonna say a name because I don't remember. We had
(29:23):
a guest on here. And and the the pushback was, I mean, you're
CEO, you gotta know something.
You know, you gotta do your homework. You can't just and,
you know, that's the bottom line. Ignorance is not gonna be
an excuse. Not knowing is not going to help you. Not having a
plan of action in place, because you you thought everything was
okay is not going to help you.
The the courts, the attorneys are just gonna say, well, you're
(29:45):
living under a rock. I mean, are are you really not aware of the
fact that companies are getting breached day in and day out? We
as CEOs, god, we have to know everything. We have to wear all
the hats. And if I mean, I don't wanna be too rude, but if if
that's not the world you wanna live in, then you probably
better find a different gig.
No. Yeah.
Mario (30:05):
I mean, the problem is
that it's it's also technically,
it's it's optional. You know?And unlike car insurance in at
least in New Jersey, you know,it's not optional. You wanna
drive, you have to have carinsurance. You know?
As an employer, if you haveemployees, you have to have
workman's comp insurance. Youknow, there's certain things
that are meant you know, ifyou're financing a house, you
(30:27):
need to have home insurance. You know, it's not it's not
mandatory. It's optional. And unfortunately, when people feel
like something is optional and they have that same mentality
that you mentioned earlier, well, we're too small, you know,
and stuff like that, they're like, I don't need it.
You know? But it really should not be especially, like, there's
(30:49):
certain industries that it should be enforced, if not in
all of them. You know? Like, if you're dealing with people's
Social Security, if you're dealing with people's credit
card and stuff like that, this stuff needs to be mandatory.
Justin (31:01):
And everybody is, by the
way. Everybody is dealing with
we're gathering that information. If you're taking
payments, unless you're taking cash, you're dealing with,
somewhere you're collecting that information. And while you're
right, it's not mandatory in most cases. The gathering of
financial data is regulated.
You've got PCI compliance, if nothing else. If you're in
(31:22):
health care, you're regulated. If you're in and again, I'm
speaking in the United States. I don't really know the the laws
in Canada, but some of the stuff is regulated. And then, Mario,
Mario (31:33):
it's great to be in that
situation where it's not
mandatory until you get, breached and then sued, and then
all of
Justin (31:39):
a sudden, guess what?
Now it is mandatory by, court
order. That's where we don't wanna be. That's what we're
trying to prevent. Alright?
Keep it optional, guys. Let's keep it optional. Yeah.
Barinder (31:48):
I I I get that it's
hard to for a business leader
to, assess the risk and make decisions when it comes to their
IT and cybersecurity, what are best practices. But I'm pretty
sure all of us on this, conversation here today have
downloadable IT buyers guide, like a a cheat sheet for any
business leaders to be able to make that assessment for
themselves. Go download it from, you know, any one of our
(32:10):
websites or type in a sentence into any one of the AI apps.
Like, what are my cybersecurity fundamentals I need to do based
on a company this size? It'll spit it out to you in two
minutes flat.
And and there's I I think nowadays with the tools we have,
there's no excuse. We have to be proactive as business leaders.
And and it's not as hard as it used to be, thankfully, and not
(32:31):
as expensive as how it used to be. The tools that we you just
have to have good IT companies that know how to use the tools.
Buying the tools and legacy on a shelf else isn't a very good
idea.
You have to have competent people behind the scenes to be
actually, like, use it properly. A lot of the tools actually like
Microsoft 365, if you just enable the right
settings, it doesn't even cost any money. Just do it.
Justin (32:53):
Well, you know, okay,
Mar or, Barinder, you're you're
bringing up something that's been in my mind. You've got,
you've got this mindset of, maybe correct me if I'm wrong.
Have you guys gone to a prospect and said, hey. What are you
doing for cybersecurity? Or are you sure you're secure?
And you get this answer. My IT guy has it covered. Have you
(33:15):
guys ever heard that?
Barinder (33:16):
Oh, yeah.
Justin (33:16):
All the time.
Barinder (33:17):
And I've I've I've got
an anti and I've got an anti
virus.
Bryan (33:20):
Right. And
Mario (33:21):
Yeah. That's fine if you
know.
Justin (33:24):
How do you know? How do
you know? Because you're writing
a check? You think that's the right answer? You think you're
gonna go to court?
And, like, hey. I've got an IT guy. I wrote a check. Right?
Great.
And they may bring the IT company in. It doesn't matter.
It's still your responsibility, mister CEO. Mhmm. But I'll I'll
tell you the simplest in this I'm going back to Joseph
Bronson.
Love that guy. The answer is pretty easy. You know they've
(33:47):
got you covered if you're meeting them with them on a
regular basis and you're reviewing what it is they're
doing to protect you. And they're making recommendations
and you have it on a plan. You've got it on a a three year
or five year road map.
That's how you know your IT guy has you covered. That's how you
know that when you're writing a check, you're getting what you
pay for. Yeah. So, guys, final thoughts. We'll move to wrap
(34:10):
this up because, pretty soon we'll just start looping, which
I love to do, but, nobody loves to listen
Mario (34:16):
to it. So, let let's go
ahead and do final thoughts,
lessons learned,
Justin (34:21):
key points, and then
we'll wrap for the week. And, I
go ahead and look forward to our next guest. Mario, why don't you
take it first, your key takeaway, Barinder, and then
Bryan, you can bring us home.
Mario (34:33):
I mean, key takeaway is,
you know, always, you know, be
on the lookout. Always see if you can, you know, improve in
something. Always get a second opinion. You know, we always
offer, you know, a free security network assessment. You know, we
actually offer it all the time.
(34:54):
And I I was sitting with somebody a week ago, and they
said those exact same words that you just said, Justin. My IT guy
has it covered. I just happened to look over, you know, in the
middle of, you know, the I looked over and I saw a computer
that was logged in, and their antivirus was Kaspersky.
Barinder (35:12):
Oh,
Justin (35:12):
god. And
Mario (35:13):
for anybody for anybody
that doesn't know what Kaspersky
is, it's an antivirus that is based in Russia. It's the
Russians. We always talk about
Justin (35:24):
the Russians are coming.
The Russians are coming.
They're, protecting the Russians with the Russians. Great.
Mario (35:29):
And, you know, I told
them, like, well, does he know
that the antivirus that, you know, you're using, that it it's
not even sold in the United States anymore? Go ahead and go
to their website.
Barinder (35:40):
It's it's banned in
the US now. Yeah. Yeah.
Mario (35:42):
Yeah. You go right to
their website. Right up there,
it says this is not available for US res you know, for US
residents or companies. I'm like, you know, right if that
doesn't and and I told them, like, I'm not even gonna
continue with the meeting. If that doesn't show you right now
that he doesn't have you covered, then I don't wanna
waste your time.
You know? And, you know, it worked. You know? So it's stuff
(36:04):
like that. You always have to, you know, even for us, you know,
we're always, you know, checking out other things, making sure
we're doing things the right way.
You know, there there's no better way to do it. You you
always have to get at least get a second opinion, you know,
whenever you can.
Bryan (36:20):
Alright. Very good.
Mario (36:23):
Next up, Barinder.
Barinder (36:24):
Yeah. So before I jump
into a couple of, final, parting
thoughts, I just wanna share, like, the most preparation for
this podcast, the most Canadian example of a cybersecurity
breach I could find. So Tim Hortons, which is as Canadian as
it gets. Right? It's hockey and Tim Hortons.
I guess they started, tracking user location with the app,
(36:45):
without users' consent, and they ultimately settled by offering
customers a free coffee and a doughnut.
Bryan (36:54):
I got mine. Sign me up.
Barinder (36:56):
I know. I I I somehow
missed the boat on that. But
Yeah. But that's how lax we are about these breaches in Canada,
and I think that needs to change. As far as tips for,
business leaders, to know if they're being served well and
things to watch out for is, does their IT professional know what
sensitive data they have?
(37:18):
And do they truly feel that's protected? In every discovery
meeting, I always ask, what is the most sensitive data? What
can you be sued for? Obviously, there are Social Security SIN
numbers, for every business because you have employees. But
there's more.
Credit card numbers, intellectual property, there
could be a number of things. If somebody hasn't asked you those
questions, start looking for some second opinions.
Justin (37:39):
Yeah. Good, Bryan.
Bryan (37:41):
Okay. Taking it home.
Lessons learned. Cybersecurity
is not static. Cybercriminals don't look at you and go, you
put a firewall in.
I'm gonna move on to somebody else. Dang it. Right? They they
are always innovating, and they are always looking for new ways
to breach. And so we always have to be innovating.
You, as a as a as a business owner need to be innovating and
(38:03):
need to be or have somebody in place that will innovate on your
behalf. Cybersecurity is not treat it like a journey. Treat
it like you're you're you have a plan and and update that plan,
every quarter with what you're gonna do next in order to
improve your cybersecurity posture. Don't be static. Don't
be that guy or girl or woman.
Justin (38:24):
I mean, you know, I say
over and over week after week,
we sit here and we break it down. We talk about all the the
there's so many recommendations. It's it's I love that we can.
Yeah. We can punch it into AI.
We can get some simple answers. But really, it is it's a complex
problem. It's, as a business owner, it's easy to get
overwhelmed and to not really know what to do, how to take
(38:46):
action. You know, and we sit here and I I semi jokingly talk
about the Russians are are coming for us. The breaches that
I've been involved with were mostly Russian based, which is
why I say that.
But we've we've evolved to this point where the the root problem
now, it it has this this tag on where, yeah, watch out. The
(39:09):
Russians are coming, but, goddamn, it's all the attorneys.
That was just something I didn't want to know, but I'm glad I do.
And and to to kinda take this point home because I, you know,
guys, we talked about at the beginning. We we live this
world.
We eat, breathe, and sleep this stuff, and we've got that pull.
What what are clients asking or prospect asking us when they
(39:31):
come to us? What should they be asking us? And so I love to be
able to test my theories because, does do do my passions,
does my attention, does it translate to what what they want
and what they need? So, my my final thought for the day as I
was sitting in front of a prospect just a few weeks ago,
and I was explaining this problem.
I'm like, breaches are they're through the roof, and I've been
(39:54):
saying that for years. I said, but now it's worse because the
attorneys are coming after the fact, and they're suing us. And
I I could just see the the anxiety and the stress building
in this prospect that I was talking to, and I was like, but
don't worry. Like, there's a very simple solution to this
problem. We just have to have a plan of action, and we have to
have milestones.
Like, that's it. Right. We just have to know what we're doing,
have a plan in place, and and be taking these steps. And and I
(40:17):
just you know, in in proving the point of the message, I just
watched all the anxiety. You could just visibly see it drain
off of her face.
And and, you know, the the deal was done. The the plan's being
taken care of, and there's one more person being protected from
both the Russians and the follow-up attorneys. So, that
was that was a great confirmation for me to know that
(40:39):
the message is valid. It's working, and and the solution
itself is really what we all need to be paying attention to.
So those are my final thoughts.
Guys, we're gonna go ahead and sign up. Mario, Bryan, as
always, thank you for being here. Barinder, love it when you
make a guest appearance. You should do some more often. With
that, guys, say goodbye, and and we'll see you next week.
(41:00):
Take care.
Barinder (41:01):
Take care, guys. Guys.
Have a great
Justin (41:05):
week.